So i have a relatively simple JWT authentication with Spring boot security set up. This includes 3 filters (Jwt, Cors, JwtExceptionHandler) and one Exceptionhandler being registered to HttpSecurity.
Due to Debugging reasons i made the doFilterInternal Method of the JwtRequestFilter empty. That alone creates no problem. If however the shouldNotFilter Method in the same Filter returns true (that means the doFilterInternal will be skipped) i receive the specified Exception:
org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:189)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:140)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at at.techsoft.cocos.security.ExceptionHandlerFilter.doFilterInternal(ExceptionHandlerFilter.java:20)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
Here is my WebSecurityConfig class:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private UserDetailsService jwtUserDetailsService;
@Autowired
private ExceptionHandlerFilter exceptionHandlerFilter;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.cors().and().csrf().disable();
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
httpSecurity.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint);
httpSecurity.headers().frameOptions().disable();
httpSecurity.authorizeRequests()
.antMatchers(Path.ROOT + "/authentication/**", "/*","/share/**", "/css/**", "/img/**", "/js/**", "/console/**").permitAll()
// Disallow everything else..
.antMatchers(HttpMethod.OPTIONS).permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterBefore(new CorsFilterConfig(), ChannelProcessingFilter.class);
httpSecurity.addFilterBefore(new JwtRequestFilter(new StandardJwtValidator(tokenUtil, userRepository, jwtUserDetailsService)), UsernamePasswordAuthenticationFilter.class);
httpSecurity
.addFilterBefore(exceptionHandlerFilter, JwtRequestFilter.class);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(Path.ROOT + "/authentication/", "/*", "/css/**", "/img/**", "/js/**", "/console/**")
.antMatchers(HttpMethod.OPTIONS, "/**");
}
And this is the JwtRequestFilter in question:
public class JwtRequestFilter extends OncePerRequestFilter {
private Logger log = LoggerFactory.getLogger(JwtRequestFilter.class);
final
IJwtValidator validator;
public JwtRequestFilter(IJwtValidator validator) {
this.validator = validator;
}
@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
//SecurityContextHolder.getContext().setAuthentication(validator.getAuthenticatioNToken(request));
}
@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
return true;
}
}
When googling for the exception, almost all of the answers include oauth2 authentication, but i do not use oauth2.
I should add that this particular case should never occur, but i feel like there is some underlying problem that is creating bugs in other parts of the system.
EDIT: As per request I'll add the application.properties:
jwt.secret=javainuse
logging.level.at=DEBUG
logging.level.org.springframework.web=DEBUG
spring.jpa.hibernate.ddl-auto= create-drop
spring.jpa.open-in-view=true #i know this shouldn't be used
#database location
#left out for post
# H2
spring.h2.console.enabled=true
spring.h2.console.path=/h2/
spring.datasource.url=#left out again
request headers:
> GET /api/v1/groups/ HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/7.0.5
> Cookie: JSESSIONID=199D19CCD05968D3E8CF0C97A1DE2CD5
> Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ0c2FkbWluIiwiZXhwIjoxNTc1NTY0MjcxLCJpYXQiOjE1NzU1NDYyNzF9.dCXO2LFaZy8LTFRCA14gHAhA1kUUSy6pCZ7Joad2z1y1G50PSVC2mPz56odA5LmIHOxhjnZrrxAbGyuX2NWgWQ
> Accept: */*
